ci: harden run blocks against template injection

fabriziosestito · fabriziosestito · commit 529652481356 · 2026-04-28T09:25:33.000+02:00
Signed-off-by: Fabrizio Sestito &lt;fabrizio.sestito@suse.com&gt;
diff --git a/.github/workflows/attestation.yml b/.github/workflows/attestation.yml
@@ -20,6 +20,9 @@ jobs:
     env:
       CRANE_VERSION: v0.20.5
       CRANE_CHECKSUM: ad4cd9af2568c62c97e346de6d1295ee8c6ce3341f7b71cf02d41292b4532680
+      COMPONENT: ${{ inputs.component }}
+      ARCH: ${{ inputs.arch }}
+      GH_REF: ${{ github.ref }}
 
     steps:
       - name: Install cosign
@@ -50,28 +53,28 @@ jobs:
         working-directory: ${{ runner.temp }}/digests
         run: |
           set -e
-          DIGEST=$(cat ${{ inputs.component }}-${{ inputs.arch }}.txt)
+          DIGEST=$(cat "${COMPONENT}-${ARCH}.txt")
           echo "DIGEST=${DIGEST}" >> "$GITHUB_ENV"
       - name: Find attestation digest
         run: |
           set -e
-          DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ inputs.component }}@${{ env.DIGEST }} \
+          DIGEST=$(crane manifest "ghcr.io/${{ github.repository_owner }}/sbomscanner/${COMPONENT}@${DIGEST}" \
           | jq -r '.manifests[]
             | select(.annotations["vnd.docker.reference.type"] == "attestation-manifest")
             | .digest')
           echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
       - name: Find provenance manifest digest
         run: |
           set -e
-          DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST }} |
+          DIGEST=$(crane manifest "ghcr.io/${{ github.repository_owner }}/sbomscanner/${COMPONENT}@${ATTESTATION_MANIFEST_DIGEST}" |
                       jq -r '.layers[]
                         | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v1")
                         | .digest')
           echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
       - name: Find SBOM manifest layer digest
         run: |
           set -e
-          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/sbomscanner/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
+          DIGEST=$(crane manifest "ghcr.io/${{github.repository_owner}}/sbomscanner/${COMPONENT}@${ATTESTATION_MANIFEST_DIGEST}" |  \
             jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
           echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
 
@@ -81,30 +84,30 @@ jobs:
       - name: Download provenance and SBOM files
         run: |
           set -e
-          crane blob ghcr.io/${{github.repository_owner}}/sbomscanner/${{ inputs.component }}@${{ env.PROVENANCE_DIGEST}} \
-            > SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl
-          crane blob ghcr.io/${{github.repository_owner}}/sbomscanner/${{ inputs.component }}@${{ env.SBOM_DIGEST}} \
-            > SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json
+          crane blob "ghcr.io/${{github.repository_owner}}/sbomscanner/${COMPONENT}@${PROVENANCE_DIGEST}" \
+            > "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl"
+          crane blob "ghcr.io/${{github.repository_owner}}/sbomscanner/${COMPONENT}@${SBOM_DIGEST}" \
+            > "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json"
       - name: Sign provenance and SBOM files
         run: |
           set -e
           cosign sign-blob --yes \
-            --bundle SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \
-            SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl
+            --bundle "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl.bundle.sigstore" \
+            "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl"
           cosign verify-blob \
-            --bundle SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \
+            --bundle "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl.bundle.sigstore" \
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-            --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/attestation.yml@${{ github.ref }}" \
-            SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl
+            --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/attestation.yml@${GH_REF}" \
+            "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl"
 
           cosign sign-blob --yes \
-            --bundle SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \
-            SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json
+            --bundle "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json.bundle.sigstore" \
+            "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json"
           cosign verify-blob \
-            --bundle SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \
+            --bundle "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json.bundle.sigstore" \
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-            --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/attestation.yml@${{ github.ref }}" \
-            SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json
+            --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/attestation.yml@${GH_REF}" \
+            "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json"
 
       - name: Upload SBOMs as artifacts
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -72,10 +72,12 @@ jobs:
             ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ matrix.component }}@${{ steps.build-image.outputs.digest }}
 
       - name: Verify container image signature
+        env:
+          GH_REF: ${{ github.ref }}
         run: |
           cosign verify \
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-            --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/container-build.yml@${{ github.ref }}" \
+            --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/container-build.yml@${GH_REF}" \
             ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ matrix.component }}@${{ steps.build-image.outputs.digest }}
 
       - name: Export digest
@@ -127,8 +129,10 @@ jobs:
 
       - name: Retrieve tag name (release)
         if: ${{ !startsWith(github.ref, 'refs/heads/main') }}
+        env:
+          VERSION: ${{ inputs.version }}
         run: |
-          echo TAG_NAME=${{ inputs.version }} >> $GITHUB_ENV
+          echo "TAG_NAME=${VERSION}" >> "$GITHUB_ENV"
 
       - name: Create and push multi-arch manifest for ${{ matrix.component }}
         id: create-manifest
@@ -182,10 +186,12 @@ jobs:
           echo "MULTI_ARCH_MANIFEST_DIGEST=$multi_arch_manifest_digest" >> $GITHUB_ENV
 
       - name: Verify multi-arch manifest signature
+        env:
+          GH_REF: ${{ github.ref }}
         run: |
           cosign verify \
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-            --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/container-build.yml@${{ github.ref }}" \
+            --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/container-build.yml@${GH_REF}" \
             ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ matrix.component }}@${{ env.MULTI_ARCH_MANIFEST_DIGEST}}
 
   attest:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,8 +22,10 @@ jobs:
     steps:
       - name: Retrieve tag name
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        env:
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV
+          echo "TAG_NAME=${REF_NAME}" >> "$GITHUB_ENV"
       - name: Get release ID from the release created by release drafter
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
